Facebook has also been told to improve users’ control over social adverts.
Photograph: Sarah Lee for the Guardian

Facebook has been told to stop its practice of indefinitely retaining data about which adverts its 500 million users outside the US click on, following a review by the Irish data protection commissioner of its non-US operations.

It has also agreed to take immediate steps over data collected from third-party sites when people use their Facebook identity to log in to them. Until now, that data about people's behaviour was passed back to Facebook and retained indefinitely. Following the review, Facebook can keep the data but it has to make it anonymous – for example it can share how many people clicked on an advert but can't provide details of specific users – within 10 days and completely delete the data after 90.

The social network has also been told to improve users' control over social adverts, and simplify its explanations of its privacy policies which must also be made more prominent for new users, following a detailed report by the commissioner.

Facebook, which has about 800m users worldwide, has also been told to make it clear to users how their personal data can be used for "targeted advertising" – where advertisers can ask for ads to be shown to a particular demographic, and Facebook will then anonymously select people who fit that profile.

The investigation by the Irish DPC is one of a growing number of privacy investigations into the social networking site, which has been criticised on a number of occasions for rolling back user privacy without adequate explanation or control. The new changes are likely to be made across the entire site worldwide, including the US, suggested Richard Allan, its European director of policy.

The report follows a finding in November by the US Federal Trade Commission over Facebook's constant changing of privacy settings that will give the FTC oversight of its privacy and data protection issues for the next 20 years.

In a response to the report Allan said: "We're particularly pleased that the report highlighted a number of Facebook's strengths or best practices."

The 143-page investigation by the Irish data protection commission follows complaints made by an Austrian group calling itself "Europe-versus-Facebook" that complained last year that they believed Facebook broke European data privacy laws. The Irish commissioner Billy Hawkes insisted the group had not triggered the investigation. But, he said: "Their well-researched complaints performed a very valuable public service which helped us in terms of framing our investigation."

A spokesman for the group responded that "as a first step we are happy about the report because it limits the ability of Facebook to mess with user data more than we expected."

He added: "This is, according to the Irish data protection commissioner, the first step of a long way to make Facebook comply with European laws."

Responding to the report, Facebook said it would shift to a two-year retention period for the ad-click data. It has agreed to other recommendations made by the commissioner.

The commissioner was critical of the way that people can be added to Facebook Groups without their consent, and noted that people should be able to delete content and know that it had been removed. Facebook agreed to seek user consent ahead of being added to a Group, and that it will provide more information about data deletion.

"Social ads" will come under the control of users via their privacy settings under the new proposals, and users will be given the option to block or control ads they don't want to see again.

The site will also have to make it clear if login activity from different browsers and machines is recorded; Facebook will provide more information in a revised Data Use Policy by the end of the first quarter of 2012.

Facebook was praised by the commissioner for its "positive approach and commitment" to respecting users' privacy rights. The Irish commissioner took charge of the audit because Facebook's European – and also non-US – headquarters are located in Dublin, and so any "contract" that users have with the organisation is through that office.

The site, launched in 2004, was judged against the European Union's data collection principles – that personal data should be collected "fairly", that individuals should be given comprehensive information on how that data will be used, that the data should not be excessive, be held securely and deleted once no longer needed for a legitimate purpose. Individuals should also have the right to access their personal data held by Facebook, with some exceptions.